
Securing Windows Store applications and REST services with Active Directory


Presentation Transcript


  1. Securing Windows Store applications and REST services with Active Directory Vittorio Bertocci - @vibronet Principal Program Manager 3-518

  2. Building a Modern Business App (diagram: App, Resource, Resource)

  3. Checklist • Tackle those, and you’ve got yourself a nice business app. • Access resources outside of the corporate network. • Handle authentication and session mechanics. • Apply access policies on non-domain joined devices.

  4. Access resources outside of the corporate network

  5. REST, OAuth2 (diagram) • authorization server: authorization endpoint, token endpoint • App • Resource
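Slide 5 names the two endpoints of the OAuth2 authorization server and the three parties involved. The Python simulation below is an added example, not code from the deck, from AAL or from Windows Azure AD: it models the authorization code grant (the grant slide 9 says ADFS now supports) with the authorization endpoint, the token endpoint, the app redeeming its code, and the resource checking the bearer header it receives, which is the header the C# snippet on slide 15 sets. The client ID, redirect URI, user and lifetimes are constructed values, and the `introspect` method is a toy stand-in: a real resource validates the JWT locally (signature, issuer, audience, expiry) rather than asking the server.

```python
import secrets
import time

# Constructed registrations standing in for the client and resource entries the deck
# says live in Windows Azure AD or ADFS. Every identifier and URI here is made up.
CLIENTS = {"app-client-id": {"redirect_uri": "ms-app://s-1-15-2-0000000000/"}}
RESOURCES = {"http://host.com/shipmentservice"}   # resource identifier used on slide 15


class AuthorizationServer:
    """Toy OAuth2 authorization server exposing the two endpoints named on slide 5."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._codes = {}    # authorization code -> (client_id, resource, user, expiry)
        self._tokens = {}   # access token -> (resource, user, expiry), for the toy validator

    def authorization_endpoint(self, response_type, client_id, resource, redirect_uri, user):
        """The user has already authenticated in the browser/broker; mint a short-lived code."""
        if response_type != "code":
            raise ValueError("unsupported_response_type")
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unauthorized_client")   # unknown client or redirect mismatch
        if resource not in RESOURCES:
            raise ValueError("invalid_resource")      # only registered resources get tokens
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, resource, user, self.clock() + 60)
        return code

    def token_endpoint(self, grant_type, code, client_id, redirect_uri):
        """Exchange the code for tokens. The code is single-use and bound to the client."""
        if grant_type != "authorization_code":
            raise ValueError("unsupported_grant_type")
        entry = self._codes.pop(code, None)           # pop: presenting the same code twice fails
        if entry is None:
            raise ValueError("invalid_grant")
        code_client, resource, user, expiry = entry
        if code_client != client_id or CLIENTS[client_id]["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")         # code was issued to a different client
        if self.clock() > expiry:
            raise ValueError("invalid_grant")         # code expired before it was redeemed
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = (resource, user, self.clock() + 3600)
        return {"token_type": "Bearer", "access_token": access_token, "expires_in": 3600,
                "refresh_token": secrets.token_urlsafe(32), "resource": resource}

    def introspect(self, access_token):
        """Toy stand-in for validation; a real resource verifies the JWT itself."""
        return self._tokens.get(access_token)


def resource_accepts(server, authorization_header, resource):
    """What the REST resource does with the Authorization header the app sends."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    info = server.introspect(token)
    if info is None:
        return False
    token_resource, _user, expiry = info
    # Audience check: a token minted for another resource must not be accepted here.
    return token_resource == resource and server.clock() <= expiry


def run_code_grant(server, client_id, redirect_uri, resource, user):
    """The app's side of the exchange: obtain a code, then redeem it at the token endpoint."""
    code = server.authorization_endpoint("code", client_id, resource, redirect_uri, user)
    return server.token_endpoint("authorization_code", code, client_id, redirect_uri)


def code_is_rejected(server, code, client_id, redirect_uri):
    """True if the token endpoint refuses the code (shows replay, client binding and expiry)."""
    try:
        server.token_endpoint("authorization_code", code, client_id, redirect_uri)
    except ValueError:
        return True
    return False
```

The checks that matter on the server side are the ones the code shows as exceptions: the code is removed when redeemed so it cannot be replayed, it is bound to the client and redirect URI it was issued for, and it expires within a minute. On the resource side, `resource_accepts` rejects a token minted for a different resource even though it is otherwise valid, which is the audience check that keeps one REST service's token from being replayed against another.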

  6. Windows Azure Active Directory (diagram) • Management Portal • Windows Azure Active Directory: OAuth2, SAML-P, WS-Federation, Metadata, Graph API • Contoso’s tenant • DirSync • Contoso’s On-Premises Directory

  7. Clients and Resources in Windows Azure AD • Registration • Today - via Graph Explorer • Soon - via Windows Azure Portal (diagram: App, App, Resource, Resource)

  8. Demo

  9. ADFS in Windows Server 2012 R2 • New! OAuth2 code grant • Resources represented as classic Relying Party Trust entries • Clients registered via PowerShell • No permission table entry necessary • Support for JWT format • New! Registered devices authentication • More details later in the session

  10. Demo

  11. Checklist • Tackle those, and you’ve got yourself a nice business app. • Access resources outside of the corporate network. • Use OAuth2. • Register client app and resources in Active Directory • Get and use access tokens • Handle authentication and session mechanics. • Apply access policies on non-domain joined devices.

  12. Handle authentication and session mechanics

  13. Windows Azure Authentication Library (AAL) • Helps developers add authentication capabilities to rich client apps • User authentication experience • Obtaining tokens • Token lifecycle management (caching, automatic token refresh, etc.) • Assisted authority discovery • Works with both Windows Azure AD and Windows Server 2012 R2 ADFS • Ships out of band as a NuGet package • .NET and Windows Store in developer preview • details here • download from VS2012 or here

  14. Windows Azure Authentication Library • AAL is a Windows Runtime Component (layer diagram: Application layer: JS/HTML5 Windows Store App, C# Windows Store App; Windows Runtime (WinRT) layer: AAL for Windows Store .WINMD; OS layer: System)

  15. Essential AAL Usage (C#)
      Authenticate the user to get a token:
        using System.Net.Http;
        using System.Net.Http.Headers;
        // plus the AAL namespace from the NuGet package

        // The authority is the directory tenant (or ADFS instance) that issues the tokens
        AuthenticationContext authContext = new AuthenticationContext("https://login.windows.net/contoso.onmicrosoft.com");
        // Ask for a token for the registered resource, on behalf of this registered client
        AuthenticationResult result = await authContext.AcquireTokenAsync("http://host.com/shipmentservice", clientID);
      Use the token to invoke a REST service:
        HttpClient httpClient = new HttpClient();
        // Send the access token as a bearer token in the Authorization header
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        //...

  16. Demo

  17. Notes on User Experience • AAL wraps the WebAuthenticationBroker API in WinRT • New in Windows 8.1: built-in account selection experience • See Karanbir’s session later today (3-113)

  18. Demo

  19. AAL Cache • AAL for Windows Store offers a persistent token cache • Key: Authority, ClientID, Resource, User • Value: Expiration, AccessToken, RefreshToken

  20. AAL Cache (flowchart) • Lookup on [authority], resource, clientid, user • Matching cache entry? YES → valid access token? YES → return cache entry • Otherwise: refresh token? YES → use the refresh token to refresh the access token → success? YES → replace cache entry • Otherwise: prompt the user via WebAuthenticationBroker → success? YES → cache access token, refresh token, validity; NO → return error info
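The cache table on slide 19 and the flowchart on slide 20 describe how AAL decides between returning a cached token, refreshing silently and prompting the user. The function below is an added Python model of that decision flow, not AAL's own code: the cache is a dict keyed by (authority, resource, clientid, user) holding the value columns from slide 19, and `refresh` and `prompt` are caller-supplied stand-ins for the token endpoint call and the WebAuthenticationBroker prompt. The 300-second expiry skew, the stub behaviour in `walk_through` and every token string are constructed assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Key and value columns of the AAL cache table (slide 19); sample values are constructed.
CacheKey = Tuple[str, str, str, str]            # (authority, resource, client_id, user)
TokenTriple = Tuple[str, Optional[str], float]  # (access_token, refresh_token, expires_in)


@dataclass
class CacheEntry:
    access_token: str
    refresh_token: Optional[str]
    expiration: float                           # absolute time, seconds since epoch


@dataclass
class TokenResult:
    access_token: str
    refresh_token: Optional[str]
    expires_in: float
    source: str                                 # "cache", "refresh" or "prompt"


class AuthenticationError(Exception):
    """Raised where the flowchart returns error info: the user did not complete sign-in."""


def acquire_token(cache: Dict[CacheKey, CacheEntry], authority: str, resource: str,
                  client_id: str, user: str,
                  refresh: Callable[[str], Optional[TokenTriple]],
                  prompt: Callable[[str, str, str], Optional[TokenTriple]],
                  now: Callable[[], float] = time.time, skew: float = 300.0) -> TokenResult:
    """Decision flow of slide 20. `refresh` and `prompt` return a token triple or None on failure."""
    key: CacheKey = (authority, resource, client_id, user)
    entry = cache.get(key)
    # Matching cache entry whose access token is still valid (with a safety margin)? Return it.
    if entry is not None and entry.expiration - skew > now():
        return TokenResult(entry.access_token, entry.refresh_token, entry.expiration - now(), "cache")
    # Expired or nearly expired, but a refresh token is held? Try a silent refresh first.
    if entry is not None and entry.refresh_token:
        refreshed = refresh(entry.refresh_token)
        if refreshed is not None:
            access, new_refresh, expires_in = refreshed
            cache[key] = CacheEntry(access, new_refresh, now() + expires_in)   # replace cache entry
            return TokenResult(access, new_refresh, expires_in, "refresh")
    # No entry, no refresh token, or the refresh failed: the user has to be prompted.
    prompted = prompt(authority, resource, client_id)
    if prompted is None:
        raise AuthenticationError("user did not complete authentication")  # return error info
    access, new_refresh, expires_in = prompted
    cache[key] = CacheEntry(access, new_refresh, now() + expires_in)       # cache token, refresh, validity
    return TokenResult(access, new_refresh, expires_in, "prompt")


def walk_through():
    """Drives the flow through all its branches with constructed stubs and a fake clock.
    Returns the source of each acquired token and how often each stub was called."""
    clock = [1_000_000.0]
    calls = {"refresh": 0, "prompt": 0}

    def refresh(refresh_token):                 # only the first refresh token is still good
        calls["refresh"] += 1
        return ("at-refreshed", "rt-2", 3600.0) if refresh_token == "rt-1" else None

    def prompt(authority, resource, client_id): # the user always signs in successfully here
        calls["prompt"] += 1
        return ("at-prompted", "rt-1", 3600.0)

    cache: Dict[CacheKey, CacheEntry] = {}
    args = (cache, "https://login.windows.net/contoso.onmicrosoft.com",
            "http://host.com/shipmentservice", "app-client-id", "alice@contoso.onmicrosoft.com")
    sources = []
    sources.append(acquire_token(*args, refresh, prompt, now=lambda: clock[0]).source)  # empty cache
    sources.append(acquire_token(*args, refresh, prompt, now=lambda: clock[0]).source)  # still valid
    clock[0] += 4000                                                                    # past expiry
    sources.append(acquire_token(*args, refresh, prompt, now=lambda: clock[0]).source)  # rt-1 works
    clock[0] += 4000
    sources.append(acquire_token(*args, refresh, prompt, now=lambda: clock[0]).source)  # rt-2 fails
    return sources, calls


def declined_prompt_is_an_error():
    """The NO branch after the prompt: no token is cached and the caller gets an error."""
    try:
        acquire_token({}, "a", "r", "c", "u", refresh=lambda rt: None,
                      prompt=lambda *_: None, now=lambda: 0.0)
    except AuthenticationError:
        return True
    return False
```

Running `walk_through()` yields the sources `["prompt", "cache", "refresh", "prompt"]`: the second call is served entirely from the cache, the third refreshes silently because the entry still carries a usable refresh token, and the fourth falls back to the broker prompt when the refresh is refused. The skew margin is what keeps the app from sending a token that expires while the request is in flight.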

  21. Checklist • Tackle those, and you’ve got yourself a nice business app. • Access resources outside of the corporate network. • Use OAuth2. • Register client app and resources in Active Directory • Get and use access tokens • Handle authentication and session mechanics. • Use the Windows Azure Authentication Library. • Apply access policies on non-domain joined devices.

  22. Apply access policies on non-domain joined devices

  23. Workplace-join in Windows 8.1 • Especially useful for • user-owned devices • Devices incapable of joining a domain • Allows administrators to apply access control policies in a wide range of scenarios • Workplace-join ability available directly in Windows 8.1

  24. Workplace Join Mechanics • Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device. • As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device. • IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication. • Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications. • Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and the cloud. (diagram components: Active Directory, ADFS, Web Application Proxy, Windows Azure Active Authentication, Windows Intune)

  25. Using Device Authentication Info to Drive Access • Some constraints on how authentication should take place to apply device-aware access policies • On the client • Ensure your app manifest has the right capabilities • WebAuthenticationBroker should be invoked in SSO mode • In AAL: you should use the AcquireTokenAsync(resource, clientid) overload • In ADFS • Server-wide: enable device authentication • Per-RP: add device-related issuance authorization rules

  26. Demo

  27. Checklist • Tackle those, and you’ve got yourself a nice business app. • Access resources outside of the corporate network. • Use OAuth2. • Register client app and resources in Active Directory • Get and use access tokens • Handle authentication and session mechanics. • Use the Windows Azure Authentication Library. • Apply access policies on non-domain joined devices. • Use Windows 8.1 Workplace-join and ADFS rules.

  28. In summary

  29. All you need to build a great modern business app (diagram: App, Windows Azure Authentication Library, Active Directory, Resource)

  30. Resources • Windows Azure AD home • Windows Server AD home • Windows Azure and Windows Server AD Team Blog • Windows Azure AD Walkthroughs • Find me: • On twitter - @vibronet • On the web – www.cloudidentity.com

  31. Evaluate this session • Scan this QR code to evaluate this session and be automatically entered in a drawing to win a prize!
